Anti-debugging

From Unprotect Project
Revision as of 14:21, 8 November 2016 by Admin (talk | contribs) (Techniques)


Technique Description

Malware also uses anti-debugging techniques to prevent analysts from debugging and dynamically analysing the malicious code. Anti-debugging is a common anti-analysis technique used by malware to detect when it is under the control of a debugger, or to crash the debugger. Once the malware realizes that it is running in a debugger, it may alter its normal code execution path or modify its code to cause a crash, thus interfering with the analysts' attempts to understand it and adding time and overhead to their efforts.

Techniques

Below is a list of all the Anti-Debug techniques in Unprotect Project:

Anti-debugging Techniques (grouped by category; each entry is Technique: Description)

Windows API
  IsDebuggerPresent: This function checks a specific flag in the Process Environment Block (PEB), the BeingDebugged field, which is zero if the process is not running under a debugger and nonzero if a debugger is attached.
  CheckRemoteDebuggerPresent: This function is similar to the previous one; it checks whether a remote process is currently debugging the current process.
  NtQueryInformationProcess / ZwQueryInformationProcess: This function retrieves information about a specified process. Malware can detect whether the process is currently being debugged from the information the function returns.
  NtSetInformationThread / ZwSetInformationThread: This function can hide a specific thread from a debugger (ThreadHideFromDebugger).
  NtQueryObject: This function retrieves object information. Calling it with the ObjectTypeInformation class retrieves the specific object type (debug object) that reveals the presence of a debugger.
  OutputDebugString: Sends a string to the debugger for display. If OutputDebugString is called while a debugger is attached, the call should succeed and the value returned by GetLastError should remain unchanged.
  EventPairHandles: An EventPair object is an event built from two _KEVENT structures, conventionally named High and Low. Generic event objects are related to debuggers because a debugger has to create a custom event, called DebugEvent, to handle exceptions. Because of the events owned by the debugger, the event information of a debugged process differs from that of a normal process.
  CsrGetProcessID: This function is undocumented and used together with OpenProcess. It can be used to get the PID of csrss.exe, which is a SYSTEM process. By default, the SeDebugPrivilege privilege in a process's access token is disabled. However, when the process is loaded by a debugger such as OllyDbg or WinDbg, SeDebugPrivilege is enabled. If a process is able to open the csrss.exe process, it has SeDebugPrivilege enabled in its access token, which suggests that the process is being debugged.
  CloseHandle / NtClose: When a process is being debugged, calling NtClose with an invalid handle generates a STATUS_INVALID_HANDLE exception.

Checking Manually
  IsDebugged Flag: While a process is running, the location of the PEB can be referenced through fs:[30h]. For anti-debugging, malware uses that location to check the BeingDebugged flag, which indicates whether the process is being debugged.
  Heap Flag: ProcessHeap is located at offset 0x18 in the PEB structure. This first heap contains a header with fields that tell the kernel whether the heap was created within a debugger. These are known as the ForceFlags and Flags fields.
  NtGlobalFlag

Timing Check
  RDTSC
  GetTickCount
  NtQueryPerformanceCounter

Debugger Detection
  FindWindow
  FindProcess
  BadStringFormat

Disturb Debugger
  TLS Callback
  Unhandled Exception Filter
  Performing code checksum

Interrupts
  INT Scanning
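As an added example (not code from the Unprotect Project page), the following Python triage scanner checks a binary sample for the indicators catalogued above from the analyst's side: the anti-debug API names a sample imports or resolves by name, the x86 instruction pattern that reads the PEB pointer from fs:[30h], and the rdtsc instruction. The sample bytes are constructed for the demonstration.

```python
import re

# API names drawn from the technique table above, mapped to the technique they
# indicate. A/W suffixes cover the ANSI and Unicode variants of the same API.
API_INDICATORS = {
    b"IsDebuggerPresent": "Windows API / IsDebuggerPresent",
    b"CheckRemoteDebuggerPresent": "Windows API / CheckRemoteDebuggerPresent",
    b"NtQueryInformationProcess": "Windows API / NtQueryInformationProcess",
    b"ZwQueryInformationProcess": "Windows API / NtQueryInformationProcess",
    b"NtSetInformationThread": "Windows API / NtSetInformationThread",
    b"ZwSetInformationThread": "Windows API / NtSetInformationThread",
    b"NtQueryObject": "Windows API / NtQueryObject",
    b"OutputDebugStringA": "Windows API / OutputDebugString",
    b"OutputDebugStringW": "Windows API / OutputDebugString",
    b"CsrGetProcessId": "Windows API / CsrGetProcessID",
    b"GetTickCount": "Timing Check / GetTickCount",
    b"NtQueryPerformanceCounter": "Timing Check / NtQueryPerformanceCounter",
    b"FindWindowA": "Debugger Detection / FindWindow",
    b"FindWindowW": "Debugger Detection / FindWindow",
}

# Instruction-level patterns (32-bit x86). 64 A1 30 00 00 00 is
# "mov eax, fs:[30h]"; 64 8B /r with a disp32 ModRM is the same load into
# another register. 0F 31 is rdtsc, a weak signal on its own (it can occur
# by chance in data), so treat it as supporting evidence only.
CODE_PATTERNS = [
    (re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"),
     "Checking Manually / IsDebugged Flag (fs:[30h])"),
    (re.compile(rb"\x0F\x31"), "Timing Check / RDTSC"),
]

def scan_for_anti_debug(sample: bytes) -> list:
    """Return the sorted list of catalogued techniques indicated in the sample."""
    hits = {tech for name, tech in API_INDICATORS.items() if name in sample}
    hits.update(tech for pat, tech in CODE_PATTERNS if pat.search(sample))
    return sorted(hits)

# Constructed sample: an import-name fragment followed by a few instruction bytes.
SAMPLE = (
    b"KERNEL32.dll\x00IsDebuggerPresent\x00GetTickCount\x00"
    + b"\x64\xA1\x30\x00\x00\x00"   # mov eax, fs:[30h]          (PEB pointer)
    + b"\x0F\xB6\x40\x02"           # movzx eax, byte [eax+2]    (PEB.BeingDebugged)
    + b"\x0F\x31"                   # rdtsc
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in scan_for_anti_debug(data):
        print(hit)
```

Run it with a file path to scan a real sample; hits only say which catalogued indicators are present, so confirm them in a disassembler before drawing conclusions.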

References